Symmetric encryption

Symmetric (or conventional) encryption ensures that each of sides in data exchange process uses exactly the same keys for encrypting and decrypting data. Symmetric encryption may be powered by different algorithms. For some time, widely used algorithms were DES (Data Encryption Standard), 3-DES (triple DES), RC2 and RC4. Today AES (Advanced Encryption Standard) is considered to be the most effective and secure.

A few words about AES

The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output of ciphertext. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

When two sides decided to use AES for data encryption, one of them generates a symmetric key. Symmetric key is a suit of random numbers, which defines the sequence of transforming data when it's encrypted (or decrypted). AES supports keys of different bit-length: 128 bit, 192, 256 and recently researchers started to talk of 512-bit AES keys. Obviously the longer key length is – the longer time it would take to break the cypher, thus, the more secure it is.

Without knowledge of relevant symmetric key it's very-very hard to break the cypher. Moreover, AES is very fast because it doesn't require much of computational power.

Tricks

Seems everything is good with this method, but one little thing. Each of both sides of data exchange needs to have a copy of symmetric key. E.g. one user should send the key to another user somehow. It may be sent by regular mail or delivery man (sounds ridiculous). The key may be sent via Internet where hackers of all kinds and flavors live, and which is flooded with versatile viruses and sophisticated malware.

Man-in-the-middle

Sending symmetric key “as is” is vulnerable because it may be easily intercepted. On the Internet when the key is being sent some intruder may cut in, do a switch-up and substantially affect data exchange. You, probably, will not even guess that your communication is being watched.

There is no way to check true user's authentication. No guarantee you communicate with the “right” person. You think that send information to the server and in fact it falls directly into hacker's hands. Server “thinks” that it dialogues with you, meanwhile sends information to the hacker.

The phone sends encryption key “as is” to the server. Man-in-the-middle captures the phone’s encryption key, replaces it with the false encryption key and sends it to the server. When server needs to send encrypted message to the phone, it uses hacker’s encryption key to encrypt data. Man-in-the-middle intercepts the message from the server, decrypts it with own key, encrypts is with the phone’s key and sends it to the phone.

Fear not. The solution is at hand

As sending symmetric key "as is" is not secure – it's sent as encrypted piece of data. Obviously, encrypting symmetric key with the same symmetric algorithm is a monkey business. For key exchange they use asymmetric encryption. Using symmetric encryption in combination with asymmetric cryptography is called hybrid encryption.